Linux Iptables: Block All Incoming Traffic But Allow SSH
Thanks to: http://www.cyberciti.biz/
This is very common scenario. You want to permit access to a remote machine only by SSH. You would like to block all incoming traffic to your system except ssh connection under Linux.
Add following rules to your iptables shell script:
Add following rules to your iptables shell script:
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
First rule will accept incoming (INPUT) tcp connection on port 22 (ssh server) and second rule will send response of incoming ssh server to client (OUTPUT) from our ssh server source port 22.
However, iptables with kernel 2.4/2.6 provides very powerful facility to filter rule based upon different connection states such as established or new connection etc. Here is complete small script to do this task:
#!/bin/sh # My system IP/set ip address of server SERVER_IP="65.55.12.13" # Flushing all rules iptables -F iptables -X # Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Allow unlimited traffic on loopback iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow incoming ssh only iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT # make sure nothing comes or goes out of this box iptables -A INPUT -j DROP iptables -A OUTPUT -j DROP
This script is purely strict firewall. It only allows incoming ssh. No other incoming service or ping request or no outgoing service or request allowed. Incoming ssh connection can be either new or already established one and that is what specified by state rule '-m state --state NEW,ESTABLISHED'. Outgoing ssh connection state can be established only. By default this script allows everyone to ssh in by rule -s 0/0. If you want this access limited by IP or network address then replace -s 0/0 with IP address. For example allow incoming ssh from IP 202.54.1.20:
# Allow incoming ssh only from IP 202.54.1.20 iptables -A INPUT -p tcp -s 202.54.1.20 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s $SERVER_IP -d 202.54.1.20 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
===================================================================================
OTROS SCRIPTS
#!/bin/bash #clear iptables iptables -F iptables -X #set default policy to drop iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP #accept everything no matter port on localhost iptables -A INPUT -i lo -j ACCEPT #allow established connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow input on port 22, (established connections auto accepted) iptables -A INPUT -p tcp --dport 22 -j ACCEPT #allow traffic going to specific outbound ports iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT #... #drop anything that doesnt match the rules above iptables -A INPUT -j DROP iptables -A OUTPUT -j DROP
Comentarios
Publicar un comentario
Dime si la información de este blog te sirvio.